Current trends and challenges in post-quantum cryptographysgal018/ANTS2018.pdf · Plan I Post-quantum cryptography and the NIST \process" I Computational problems from isogenies I

$Page 1: Current trends and challenges in post-quantum cryptographysgal018/ANTS2018.pdf · Plan I Post-quantum cryptography and the NIST \process" I Computational problems from isogenies I$
Current trends and challenges in post-quantumcryptography

Steven Galbraith

University of Auckland, New Zealand

Steven Galbraith Post-quantum cryptography

Thanks

I Eric Bach, Joshua Holden, Jen Paulhus, Andrew Shallue,Renate Scheidler, Jonathan Sorenson.

I Hilary Heffley.

I David Kohel, Bryan Birch, Victor Miller, Florian Hess,Nigel Smart, Alfred Menezes, Scott Vanstone, David Jao,Drew Sutherland, Gaetan Bisson, Christophe Petit, Lucade Feo.

I Anton Stolbunov, Ilya Chevyrev, Chang-An Zhao,Fangqian (Alice) Qiu, Christina Delfs, Barak Shani, YanBo Ti, Javier Silva, Joel Laity.

I Thanks to you for waking up after the banquet.


Plan

I Post-quantum cryptography and the NIST “process”

I Computational problems from isogenies

I Crypto based on group actions/homogeneous spaces

I Crypto based on homomorphisms with co-prime kernels

I Open problems

Intended audience: experts in elliptic curves who don’t knowmuch crypto.

Goal: Convince you to work on PQ Crypto and isogenies.

*** Footnotes are corrections added after the talk. ***


Quantum Computing

I Quantum computing was proposed by: Paul Benioff(1980), Yuri Manin (1980), Richard Feynman (1982) andDavid Deutsch (1985). [wikipedia]

I Peter Shor (1994): polynomial-time quantum algorithmfor integer factorisation and discrete logs.

I Late 1990s: Breakthrough in quantum computing around“10 years away”.

I Dave Wecker (Microsoft) invited talk at PQ Crypto 2018:Microsoft will have a quantum computer suitable forchemistry applications within 5 years and “something ofinterest to this crowd” in 10 years.


Quantum computer or microbrewery?


Quantum computer or microbrewery?


Interesting quantum computer algorithms for numbertheory

I Integer factoring record by Shor’s algorithm on a quantumcomputer is 21.The integer 56153 has been factored using an “adiabaticquantum computer”.

I Computing class group and unit group structure,generators for principal ideals etc.Nice survey: Childs and van Dam “Quantum algorithmsfor algebraic problems” (2010).

I Given p and f (x) = ( x+sp

) to compute s.Efficient quantum algorithm due to van Dam, Hallgrenand Ip.

I What else will quantum computers do for AlgorithmicNumber Theory?


QUANTS


NIST standardisation process

I August 2015: NSA Information Assurance Directorateproposed “a transition to quantum resistant algorithms inthe not too distant future”.

I February 2016: NIST preliminary announcement ofstandardization plan.

I December 2016: Request for Nominations for Public-KeyPost-Quantum Cryptographic Algorithms

I November 2017: Submission deadline

I April 2018: First NIST PQC Standardisation Conference

I Mid-late 2019: Selections to the second round

I Draft standards expected around 2023-2025


NIST submissions

I 69 submissions accepted, 5 withdrawn already.

I Roughly 23

are key exchange/public key encryptionschemes, and roughly 1

3are public key signatures.

I Mathematical foundation: Lattices, coding-theory,multivariate polynomial systems, hash trees, non-abeliangroups, isogenies.

I Each offers different tradeoff between speed, key sizes,ciphertext/signature size, etc.

I This talk is not giving an overview of the whole field. I’mfocussing on isogenies.


Lattice crypto

I Pros: Lattice crypto gives good solutions to bothencryption and signatures, plus fancy gadgets like IBE andhomomorphic encryption.

I Generally fast.

I Cons: may have large public keys/ciphertexts/signatures.1

I Problem: Estimating lattice attacks (basisreduction/enumeration/sieving) and choosing key sizes.

I Mersenne prime cryptosystem: A great target forcryptanalysis. (Aggarwal, Joux, Prakash, Santha,CRYPTO 2018)

1Someone on twitter disagrees with this statement.Steven Galbraith Post-quantum cryptography

Discrete Logarithm Problem and Diffie-Hellman

(Pre-quantum crypto)Let G be a subgroup of F∗q or E (Fq) of prime order p.Given g ∈ G and h = g a for a ∈ Z, it is hard to compute a.

Diffie-Hellman key exchange:

I Alice chooses a and sends tA = g a to Bob.

I Bob chooses b and sends tB = gb to Alice.

I Alice computes taB = g ab.

I Bob computes tbA = g ab.


Diffie-Hellman key exchange

g

g a

gb

g ab


Generalised Discrete Logarithm Problem 1: HomogenousSpaces

(Couveignes 1997)Let G be a subgroup of F∗q or E (Fq) of prime order p.For a ∈ Zp and g ∈ G define a ∗ g := g a.Given g ∈ G and h = a ∗ g , hard to compute a.

Generalised Diffie-Hellman key exchange:

I Alice chooses a ∈ Zp and sends tA = a ∗ g to Bob.

I Bob chooses b ∈ Zp and sends tB = b ∗ g to Alice.

I Alice computes a ∗ tB .

I Bob computes b ∗ tA.


Generalised Discrete Logarithm Problem 2: Grouphomomorphisms

Let G be a subgroup of F∗q or E (Fq) of prime order p.Let φ : G → G . Given g ∈ G and h = φ(g), hard to computethe group homomorphism φ.

Generalised Diffie-Hellman key exchange:

I Alice chooses φA and sends tA = φA(g) to Bob.

I Bob chooses φB and sends tB = φB(g) to Alice.

I Alice computes φA(tB).

I Bob computes φB(tA).

We can compose these homomorphisms, and they commute:φA(φB(g)) = φB(φA(g)).


Isogenies

I An isogeny φ : E1 → E2 of elliptic curves is a(non-constant) morphism and a group homomorphism.

I An isogeny has finite kernel.

I Given a finite subgroup G ⊆ E1(Fq) there is a (uniqueseparable) isogeny φG : E1 → E2 with kernel G .Can compute φG using Velu.

I We will write E2 = E1/G .

I We focus on separable isogenies, in which casedeg(φ) = # ker(φ).

I End(E ) = {isogenies φ : E → E over Fq} ∪ {0}.


Main Computational Problem Regarding Isogenies

Given E1,E2 elliptic curves over Fq such that there is anisogeny between them (i.e., #E1(Fq) = #E2(Fq)), find anisogeny φ : E1 → E2.

Issues:

I Unique?

I Representation?

I Size?

I Algorithms?

I Classical or Quantum algorithms?


Ordinary Isogeny Graph

Credit: Dustin MoodySteven Galbraith Post-quantum cryptography

Abelian group action(Kohel 1996, Couveignes 1997, Rostovtsev-Stolbunov 2006,Stolbunov 2010)

I Let E be an ordinary elliptic curve over Fq withEnd(E ) ∼= O an order in an imaginary quadratic field.

I Let a be an O-ideal.

I Can define the subgroup

E [a] = {P ∈ E (Fq) : φ(P) = 0 ∀φ ∈ a}.

(Waterhouse 1969)

I There is an isogeny E → E ′ with kernel E [a].Define a ∗ E to be E ′ = E/E [a].

I a ∗ E depends only on the ideal class of a.

I This gives an action of ideal class group Cl(O) on set ofE with End(E ) ∼= O.


Cryptography from Abelian group actions

I Couveignes describes a Diffie-Hellman-type key exchangebased on group actions.He also sketched two interactive authentication protocols.

I Rostovtsev and Stolbunov give key exchange andencryption.

I Stolbunov’s thesis describes an interactive authenticationprotocol and mentions signatures.

I Couveignes does not mention post-quantum security.

I Stolbunov (Advances Math. Comm. 2010) discussesquantum algorithms.2

“Besides being interesting from the theoretical point ofview, the proposed cryptographic schemes might also havean advantage against quantum computer attacks.”

2Also eprint 2006/145 suggests isogenies could be post-quantum secure.Steven Galbraith Post-quantum cryptography

Generalised Diffie-Hellman 1: Group action

E

a ∗ E

b ∗ E

ab ∗ E


Computational problems and algorithms

I Given E and E ′ = a ∗ E to determine the ideal (class) a.

I Classical algorithms due to Galbraith andGalbraith-Hess-Smart in time O(

√#G ) (bug fixed by

Stolbunov).

I Hidden shift problem: G an abelian group andf , g : G → S such that, for some s ∈ G , g(x) = f (xs) forall x ∈ G . Problem: find s.

I Idea: Given (E ,E ′ = a ∗ E ) define f (b) = b ∗ E andg(b) = b ∗ E ′ = f (ba).


Quantum algorithms for hidden shift

I Kuperberg (2004, 2011) gave subexponential-timequantum algorithms for hidden shift. Complexity3

2O(√

log(#G)).

I Require massive quantum storage, which may beunrealistic.

I Regev (2004) gave low quantum storage variant.

3This is taking cost O(1) for the functions f and g .Steven Galbraith Post-quantum cryptography

Kuperberg for isogenies

I Childs, Jao and Soukharev were the first to analyseKuperberg’s algorithm in the isogeny setting.

I Subexponential complexity arises twice in their work:I Computing a ∗ E requires smoothing the ideal class over a

factor base.4

I Kuperberg itself.

I Bonnetain and Schrottenloher, “Quantum SecurityAnalysis of CSIDH and Ordinary Isogeny-based Schemes”,eprint 2018/537.Gives more efficient action a ∗ E and gives variant of

Kuperberg with heuristic running time5 O(2√

log(#G)).

I Also see Biasse, Iezzi and Jacobson, “A note on thesecurity of CSIDH”, arXiv:1806.03656.

4This step improved by Biasse, Fieker and Jacobson in ANTS 2016.5Again, taking cost O(1) for a ∗ E .


Open problems

I The Kuperberg and Regev algorithms mostly classical andcombinatorial.Very like the Blum-Kalai-Wasserman (BKW) and Wagneralgorithms.

I Regev (“Quantum computation and lattice problems”,SIAM J. Comput. 2004) reduces shortest vector problemin lattice to dihedral hidden subgroup.Conversely, should be able to improve Kuperberg by usinglattice methods.

I Algorithmic number theorists should study thesealgorithms.

I Kuperberg/Regev has only been used as a black box. Arethere further optimisations/approaches/algorithms thatexploit the specific features of isogenies?


Efficient computation of DH protocol

I Need to sample ideal class as product of powers of smallprime ideals:

a ≡∏i

leii

where li are non-principal O-ideals of small prime norm.

I Then need to compute corresponding isogenies.

I Couveignes and Stolbunov do this by just choosingrandom small “Elkies primes”, using modular polynomialsand action of Frobenius on kernels.

I Couveignes: time required “a few hours”.

I Stolbunov: compute a ∗ E in 4 minutes or so.

I De Feo, Kieffer and Smith (eprint 2018/485) discusschoosing a special curve to make the isogenycomputations faster.


CSIDH (Castryck, Lange, Martindale, Panny, Renes 2018)

I Let X be the set of isomorphism classes of supersingularelliptic curves E with j-invariant in Fp.

I All E ∈ X have EndFp(E ) an order in Q(√−p).

Here EndFp(E ) = {φ : E → E defined over Fp}.I Delfs-Galbraith showed that one can define class group

actions on X .

I CSIDH is an instantiation of group action crypto usingsupersingular curves, which gives massive performanceimprovements.

I Advantages over SIDH (see later in talk) include:I No public key validation needed, so can do non-interactive key

exchange.I Better bandwidth.

I Still only sub-exponentially quantum secure due to hiddenshift algorithms.


Open problems

I How close to uniform is the distribution

a ≡∏i

leii

over uniform ei ∈ [−B ,B], for fixed small prime ideals li?(Let’s assume {li} generates the class group.)

I Can small prime factors of #Cl(O) be determined?Can subgroups of ideal class group be exploited?

I (Boneh): Find other homogeneous spaces/torsors forgroup actions that are efficient and secure for crypto.


Candidate post-quantum pairing

Very new paper by Boneh, Glass, Krashen, Lauter, Sharif,Silverberg, Tibouchi and Zhandry (eprint 2018/665).

I Fix ordinary E/Fq

I Fact: (a1 ∗ E )× (a2 ∗ E ) ∼= (a1a2 ∗ E )× E as unpolarizedabelian varieties.(Result holds more generally for n terms; see Kani 2011.)

I This is essentially a bilinar pairing (resp. multilinear map).Note: Not used for key exchange, but other more complexprotocols.

I Open problem: To find a computable invariant of theisomorphism class.


Generalised Diffie-Hellman 2: Endomorphisms

Fix an element g in a group G .

g

φA(g)

φB(g)

φA(φB(g))

φA

φB

The maps φA(x) = xa and φB(x) = xb are grouphomomorphisms such that φA ◦ φB = φB ◦ φA.


Generalised Diffie-Hellman 2: Homomorphisms

Let E be an elliptic curve and GA,GB finite subgroups suchthat GA ∩ GB = {0}.

E

EA = E/GA

EB = E/GB

E/〈GA,GB〉φA

φB

Alice and Bob need to give each other enough informationthat they can compute φA(GB) and φB(GA).Alice computes EB/φB(GA) and Bob computes EA/φA(GB).


Why supersingular?

I The endomorphism ring of a supersingular elliptic curve isa maximal order in a quaternion algebra.

I The set of (approx p/12) supersingular elliptic curves incharacteristic p is not a homogeneous space for a groupaction.

I Hence can hope to avoid subexponential attacks, such asbased on Kuperberg’s algorithm.


Jao and De Feo key exchange

I Let p = è11 è22 f ± 1 be prime.

I Let E over Fp2 be a supersingular elliptic curve.

I Then group structure of E (Fp2) is a product of two cyclicgroups of order è11 `

e22 f .

I Fix points R1, S1 ∈ E [è11 ] such that 〈R1, S1〉 = E [è11 ].

I Fix R2, S2 such that 〈R2, S2〉 = E [è22 ].

I The system parameters are (E ,R1, S1,R2, S2).



I Alice chooses a secret subgroup of E [è11 ] by choosing aninteger 0 ≤ a < è11 and setting T1 = R1 + [a]S1.

I Alice computes an isogeny φA : E → EA with kernelgenerated by T1 and publishes (EA, φA(R2), φA(S2)).

I Bob chooses 0 ≤ b < è22 , computes φB : E → EB withkernel generated by T2 = R2 + [b]S2 and publishes(EB , φB(R1), φB(S1)).

I Alice computes

T ′1 = φB(R1) + [a]φB(S1) = φB(R1 + [a]S1) = φB(T1)

and then computes an isogeny φ′A : EB → EAB with kernelgenerated by T ′1.

I Bob computes an isogeny φ′B : EA → E ′AB with kernel〈φA(R2) + [b]φA(S2)〉.



I The composition φ′A ◦ φB : E → EAB has kernel 〈T1,T2〉.I The elliptic curve equations EAB and E ′AB computed by

Alice and Bob are isomorphic.

I The shared key for Alice and Bob is j(EAB) = j(E ′AB).

I Can use for encryption, but need to avoid an active attackdue to Galbraith, Petit, Shani, Ti (2016).Hence can’t use this for static non-interactive keyexchange.


SIKE submission to NIST

I SIKE = Supersingular Isogeny Key Exchange.

I Submission to the NIST standardization process onpost-quantum cryptography.

I Authors: Jao, Azarderakhsh, Campagna, Costello, De Feo,Hess, Jalali, Koziel, LaMacchia, Longa, Naehrig, Renes,Soukharev and Urbanik.

I Submission contains specification of an IND-CCA KEM.

I http://sike.org/

I Advantage over lattice crypto: very short ciphertexts.CSIDH is even better.


Special Case of Isogeny Problem

I Given: E , R2, S2, EA, R′2, S

′2.

I Know there is an isogeny φ : E → EA of degree è11 .

I Have exponentially many interpolation points

φ([a]R2 + [b]S2) = [a]R ′2 + [b]S ′2.

I Easy to solve if given φ(R1), φ(S1).

I Attack on extreme variant: C. Petit “Faster Algorithmsfor Isogeny Problems Using Torsion Point Images”,ASIACRYPT 2017.

I Is this a hard problem?

I Decisional variant is equivalent to the computationalproblem.


Special Case of Isogeny Problem

I Classical meet-in-middle algorithm with time and space

complexity O(è1/21 ).

I Open problem: Low storage algorithm with this timecomplexity.See Adj, Cervantes-Vazquez, Chi-Domınguez, Menezesand Rodrıguez-Henrıquez, eprint 2018/313.

I Quantum “claw” algorithm. See Jao, de Feo and Plut(2014) for analysis.

I Biasse, Jao, and Sankar give a quantum algorithm for thegeneral supersingular isogeny problem.


More open problems

I New quantum or classical algorithms?

I Find a random-self-reduction for this isogeny problem.This is easy in the group action setting: Given(E ,EA = a ∗ E ) then (b ∗ E , b′ ∗ EA) is a uniformly choseninstance.

I Find an efficient public key signature scheme.See Yoo et al (2017) and Galbraith, Petit, Silva (2017).


Quaternion Analogues

I Given two supersingular elliptic curves E1,E2 incharacteristic p let O1 = End(E1) and O2 = End(E2).

I Then Hom(E2,E1) is a left-O1 module and aright-O2-module.Since if α ∈ O1, ρ : E2 → E1 and β ∈ O2 then αρβ maps

E2β−→ E2

ρ−→ E1α−→ E1.

I If φ : E1 → E2 is an isogeny of elliptic curves thenI = Hom(E2,E1)φ is a left-O1-ideal with right order O2.

I Conversely a left-O1-ideal I defines an isogeny with kernel

E1[I ] = ∩φ∈I ker(φ).


Quaternion AnaloguesI Quaternion analogue of the isogeny problem: Given

maximal orders O1 and O2, find a left-O1-ideal I withright order O2.

I This problem is easy. Can even find such an ideal I oftwo-power or power-smooth norm.D. Kohel, K. Lauter, C. Petit and J.-P. Tignol, On the quaternion

`-isogeny path problem, ANTS 2014.

I Indeed, can convert an ideal to an isogeny between thecorresponding curves.

I Given an arbitrary supersingular curve E1 it is hard tocompute the maximal order O1 = End(E1).

I Hence, hard to transform an isogeny problem (E1,E2) to aquaternion order problem (O1,O2).

I K. Eisentrager, S. Hallgren, K. E. Lauter, T. Morrison, C. Petit,

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions

and Solutions, EUROCRYPT 2018.


Conclusion

I Post-quantum crypto is very active.

I There are plenty of good problems for arithmeticgeometers and algorithmic number theorists to study.

I I’m happy to discuss these problems with you during theconference.


Thank You


Documents

Current trends and challenges in post-quantum cryptographysgal018/ANTS2018.pdf · Plan I Post-quantum cryptography and the NIST \process" I Computational problems from isogenies I